Tp Link Tp Link

Do you want an email whenever new security vulnerabilities are reported in any Tp Link product?

Products by Tp Link Sorted by Most Security Vulnerabilities since 2018

Tp Link Eap Controller6 vulnerabilities

Tp Link Tapo2 vulnerabilities

Tp Link Archer C501 vulnerability

Tp Link Omada Controller1 vulnerability

Tp Link Td 88161 vulnerability

Tp Link Wr840n1 vulnerability

Known Exploited Tp Link Vulnerabilities

The following Tp Link vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title Description Added
TP-Link Archer AX-21 Command Injection Vulnerability TP-Link Archer AX-21 contains a command injection vulnerability that allows for remote code execution. CVE-2023-1389 May 1, 2023
TP-Link Multiple Archer Devices Directory Traversal Vulnerability Directory traversal vulnerability in multiple TP-Link Archer devices allows remote attackers to read arbitrary files via a .. (dot dot) in the PATH_INFO to login/. CVE-2015-3035 March 25, 2022

By the Year

In 2024 there have been 0 vulnerabilities in Tp Link . Last year Tp Link had 2 security vulnerabilities published. Right now, Tp Link is on track to have less security vulnerabilities in 2024 than it did last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 2 7.00
2022 1 7.50
2021 0 0.00
2020 2 6.50
2019 0 0.00
2018 7 7.60

It may take a day or so for new Tp Link vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Tp Link Security Vulnerabilities

Incorrect access control in TP-Link Tapo before v3.1.315

CVE-2023-34829 6.5 - Medium - December 28, 2023

Incorrect access control in TP-Link Tapo before v3.1.315 allows attackers to access user credentials in plaintext.

Cleartext Transmission of Sensitive Information

An issue in TPLink Smart bulb Tapo series L530 v.1.0.0 and Tapo Application v.2.8.14

CVE-2023-38907 7.5 - High - September 25, 2023

An issue in TPLink Smart bulb Tapo series L530 v.1.0.0 and Tapo Application v.2.8.14 allows a remote attacker to obtain sensitive information via session key in the message function.

TP-Link Omada SDN Software Controller before 5.0.15 does not check if the authentication method specified in a connection request is

CVE-2021-44032 7.5 - High - March 10, 2022

TP-Link Omada SDN Software Controller before 5.0.15 does not check if the authentication method specified in a connection request is allowed. An attacker can bypass the captive portal authentication process by using the downgraded "no authentication" method, and access the protected network. For example, the attacker can simply set window.authType=0 in client-side JavaScript.

The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL

CVE-2020-12695 7.5 - High - June 08, 2020

The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.

Incorrect Default Permissions

TP-Link Omada Controller Software 3.2.6

CVE-2020-12475 5.5 - Medium - May 04, 2020

TP-Link Omada Controller Software 3.2.6 allows Directory Traversal for reading arbitrary files via com.tp_link.eap.web.portal.PortalController.getAdvertiseFile in /opt/tplink/EAPController/lib/eap-web-3.2.6.jar.

Directory traversal

The TP-LINK EAP Controller is TP-LINK's software for remotely controlling wireless access point devices

CVE-2018-5393 9.8 - Critical - September 28, 2018

The TP-LINK EAP Controller is TP-LINK's software for remotely controlling wireless access point devices. It utilizes a Java remote method invocation (RMI) service for remote control. The RMI interface does not require any authentication before use, so it lacks user authentication for RMI service commands in EAP controller versions 2.5.3 and earlier. Remote attackers can implement deserialization attacks through the RMI protocol. Successful attacks may allow a remote attacker to remotely control the target server and execute Java functions or bytecode.

Missing Authentication for Critical Function

TP-Link WR840N devices

CVE-2018-14336 7.5 - High - July 19, 2018

TP-Link WR840N devices allow remote attackers to cause a denial of service (connectivity loss) via a series of packets with random MAC addresses.

Improper Input Validation

Stored Cross-site scripting (XSS) vulnerability in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows

CVE-2018-10164 5.4 - Medium - May 03, 2018

Stored Cross-site scripting (XSS) vulnerability in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows allows authenticated attackers to inject arbitrary web script or HTML via the implementation of portalPictureUpload functionality. This is fixed in version 2.6.1_Windows.

XSS

Stored Cross-site scripting (XSS) vulnerability in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows

CVE-2018-10165 5.4 - Medium - May 03, 2018

Stored Cross-site scripting (XSS) vulnerability in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows allows authenticated attackers to inject arbitrary web script or HTML via the userName parameter in the local user creation functionality. This is fixed in version 2.6.1_Windows.

XSS

The web management interface in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows does not have Anti-CSRF tokens in any forms

CVE-2018-10166 8.8 - High - May 03, 2018

The web management interface in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows does not have Anti-CSRF tokens in any forms. This would allow an attacker to submit authenticated requests when an authenticated user browses an attack-controlled domain. This is fixed in version 2.6.1_Windows.

Session Riding

The web application backup file in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows is encrypted with a hard-coded cryptographic key, so anyone who knows

CVE-2018-10167 7.5 - High - May 03, 2018

The web application backup file in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows is encrypted with a hard-coded cryptographic key, so anyone who knows that key and the algorithm can decrypt it. A low-privilege user could decrypt and modify the backup file in order to elevate their privileges. This is fixed in version 2.6.1_Windows.

Use of Hard-coded Credentials

TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows do not control privileges for usage of the Web API

CVE-2018-10168 8.8 - High - May 03, 2018

TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows do not control privileges for usage of the Web API, allowing a low-privilege user to make any request as an Administrator. This is fixed in version 2.6.1_Windows.

Improper Privilege Management

Cross-site scripting (XSS) vulnerability in Allegro RomPager before 4.51, as used on the ZyXEL P660HW-D1, Huawei MT882, Sitecom WL-174, TP-LINK TD-8816, and D-Link DSL-2640R and DSL-2641R, when the "forbidden author header" protection mechanism is bypassed, allows remote attackers to inject arbitrary web script or HTML by requesting a nonexistent URI in conjunction with a crafted HTTP Referer header

CVE-2013-6786 - January 16, 2014

Cross-site scripting (XSS) vulnerability in Allegro RomPager before 4.51, as used on the ZyXEL P660HW-D1, Huawei MT882, Sitecom WL-174, TP-LINK TD-8816, and D-Link DSL-2640R and DSL-2641R, when the "forbidden author header" protection mechanism is bypassed, allows remote attackers to inject arbitrary web script or HTML by requesting a nonexistent URI in conjunction with a crafted HTTP Referer header that is not properly handled in a 404 page. NOTE: there is no CVE for a "URL redirection" issue that some sources list separately.

XSS

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8. Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.